Dan Harkins writes: > > I would be strongly against for including support for protocol which > > has been obsoleted 7 years ago. If people want to use this kind of > > groups in IKEv1 they can use the new group mode and negotiate groups > > on the fly. There is no need to add them to IKEv1. > > In spite of this designation IKEv1 is still widely used and I would posit > that it is used more than IKEv2.
It is widely used, but that does not mean we need to keep adding everything there. I do not think that is that much more widely implemented anymore. I would expect most of the implementations do support both IKEv1 and IKEv2, thus adding features to IKEv2 is enough. > IKE already has the way to handle new domain parameter sets that are > publicly defined and that is through the IANA registry. Your suggestion to > use New Group Mode to use brainpool ECC groups would only hamstring > IKEv1 and make it harder to use. I think otherwise, as using new group mode allows using them without changing any single line of code, provided the IKEv1 implementation do support ECP groups at all (and support the new group mode which is SHOULD). This is exactly why new group mode was made a SHOULD in the IKEv1, i.e. to allow adding new groups without need to changing the specification or the actual code. I agree that there might be implementations which do not support it, and for example I think we disabled it from our implementation when we added IKEv2 support, as we wanted to keep the feature set provided by our implemenation about the same regardless whether IKEv1 or IKEv2 is used, and IKEv2 do not support such feature. > It would be a blunt club to force people into doing something that > they haven't decided to do on their own (to your apparent chagrin). I agree on that. I do try to convince to switch to IKEv2, as it is MUCH better protocol and works much more robustly and has standarized features for things which IKEv1 only has multiple non-standardized non-interoperable protocols. > The IETF does not have a lot of success at forcing people to do things > they do not want to do on their own and I think this sort of thing is > somewhat inappropriate. We do not need to keep adding features to the old obsoleted protocoles either. > Why there are two identical repositories to map unsigned shorts to > complete domain parameter sets is beyond me but there are. These > two repositories have been updated in concert in the past and and there > is no good reason to have them diverge now. There is multiple repositories for diffie-hellman parameters. IKEv1, IKEv2, EAP-EKE, and in addtion SSH, TLS etc have their repositories etc. Registries are cheap, there is no point of reusing them for completely different purposes. -- kivi...@iki.fi _______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec
